Software Engineering Group Department of Computer Science Nanjing University http://seg.nju.edu.cn Technical Report No. NJU-SEG- 2009-IJ-001 Aspect-Oriented Modeling and Verification with Finite State Machines Dianxiang Xu, Omar El Ariss, Weifeng Xu, Linzhang Wang Postprint Version. Originally Published in: Journal of Computer Science and Technology, 24(5): 949-961, Sept. 2009. Most of the papers available from this document appear in print, and the corresponding copyright is held by the publisher. While the papers can be used for personal use, redistribution or reprinting for commercial purposes is prohibited.
40
Embed
Aspect-Oriented Modeling and Verification with Finite State … · 2014-05-04 · Therefore, aspects must be applied with care. To assure the quality of an aspect-oriented system,
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Software Engineering Group Department of Computer Science Nanjing University http://seg.nju.edu.cn
Technical Report No. NJU-SEG- 2009-IJ-001
Aspect-Oriented Modeling and Verification with
Finite State Machines
Dianxiang Xu, Omar El Ariss, Weifeng Xu, Linzhang Wang
Postprint Version. Originally Published in: Journal of Computer Science and Technology,
24(5): 949-961, Sept. 2009.
Most of the papers available from this document appear in print, and the corresponding copyright is held by the
publisher. While the papers can be used for personal use, redistribution or reprinting for commercial purposes is
where “||”means parallel composition. Putting this together with the FSP processes for the
CarSimulator and Controller woven models and the SpeedControl class model, we obtain the
complete FSP specification for the cruise control system.
3.4 Aspect Verification
After the woven models and class models are transformed into FSP processes, we formalize
system properties according to the system requirements and verify the FSP processes against the
properties. As mentioned earlier, LTSA allows properties to be expressed as property processes
and/or FLTL assertions.
We can verify an aspect-oriented state model in an incremental manner, that is, check the
class models first and then the aspect models together with their base models and related class
models. The incremental verification can determine aspect problems if the classes are already
proven correct. Katz [6] has discussed how spectative, regulative, invasive aspects affect the
properties of their base programs. This aspect category is helpful for identifying the properties
that aspects should preserve or invalidate. In the cruise control system, for example, the
requirement “OFF00 should be reached eventually after engine is turned on” must be met no
matter whether the aspects are applied.
For Research Only
25
To verify correctness of aspects, we are also interested in the particular properties that are
changed or introduced by aspects. Depending on the application, an aspect can be expected to
validate or invalidate a specific property of its base classes. For example, when an aspect is used
to enforce the contract of the base classes, it implies that the base classes have not yet enforced
the contract. We can define properties that should be violated (or satisfied) by the base classes
alone but satisfied (or violated) after the aspect is composed. Consider the CarSimulator model
in Figure 2. It violates the following safety property:
property SAFETY= (
{carSimulator.engineOn,carSimulator.engineOff,
carSimulator.brake, carSimulator.on,
carSimulator.off, carSimulator.resume}->SAFETY
| {carSimulator.accelerate}->SAFETYCHECK),
SAFETYCHECK=(
{carSimulator.engineOff, carSimulator.brake,
carSimulator.on, carSimulator.off,
carSimulator.resume}->SAFETY
| {carSimulator.accelerate}->SAFETYCHECK
| {carSimulator.engineOn}->ERROR).
The following is part of the LTSA output when the generated FSP process for the CarSimulator
model in Figure 2 is checked against the above property:
Trace to property violation in SAFETY:
carSimulator.accelerate
carSimulator.engineOn
The trace to property violation reflects the safety problem discussed in subsection 2.3. The
corresponding sequence of states and events in the class model is <OFF00, accelerate, OFF10,
engineOn, ON10>. The above safety property, however, is satisfied after the CarSimulatorFix
aspect is woven into CarSimulater if the aspect disables the event CarSimulator.accelerate at the
initial state (i.e. if the advice of atIgnitionOff has an empty advice model, which means removal
For Research Only
26
of the selected transitions in Figure 3). Note that the advice model in Figure 3 allows the
CarSimulator.accelerate event to be received, yet without changing the state. Thus,
<carSimulator.accelerate, carSimulator.engineOn> is a safe event sequence. In this case, the
above property specification does not apply to the aspect model in Figure 3. In general, aspect
verification may require modifying the concrete property specification of its base classes even for
a similar property if the property relies on the ordering of events or states.
Properties with respect to an aspect may not make sense to the individual base classes. For
instance, the CruiseControlIntegrator aspect in the cruise control system involves two classes.
To verify its correctness, the cruise control properties are defined over the two classes, other than
each individual class. They are in essence inter-class invariants enforced by the aspect.
Obviously, they are meaningless when only an individual class is checked. This is similar for the
SpeedControlIntegrator aspect. In addition to safety/progress property processes, FLTL
assertions can be defined to express various system properties including safety and liveness.
LTSA automatically verifies the given properties and checks to see if deadlock exists.
Moreover, our approach automatically inspects if there are unreachable states in an aspect-
oriented state model. Consider the states OFF10 and OFF01. They are reachable from the initial
state OFF00 in the base model CarSimulator (Figure 2), but unreachable in the woven models
(Figure 6 and Figure 7). It is the CarSimulatorFix aspect that makes them unreachable so as to
avoid the unsafe situation. As a matter of fact, reachability analysis is conducted when a state
model is converted into an FSP process (refer to Step 1.6 of Algorithm 2). A generated FSP
process contains no unreachable states. If a generated FSP process has missed an expected state,
it indicates that the original aspect-oriented state model is incorrect. For the expected
unreachable states, it is safe to remove them and the transitions associated with them. The
For Research Only
27
removal does not lose any information for further verification. For example, Figure 6 can be
reduced to Figure 8. The generated FSP processes for the two models are the same. Similarly, the
model in Figure 7 is reduced when it is transformed into an FSP process.
Figure 8. The reduced model of Figure 6.
4. APPLICATIONS AND EVALUATIONS
We have fully implemented our approach in the Java-based tool MACT2. With the tool support,
we have been able to apply our approach to three non-trivial event-based systems - the aspect-
oriented cruise control system [8], telecom (a sample program in the AJDT toolkit3), and
banking4.
To evaluate the effectiveness of verification, we have applied our approach as a heavyweight
formal method to the cruise control and telecom systems – we have modeled all aspects and
related classes and formalized and verified a comprehensive set of requirements for each
2 MACT (Model-based Aspect Checking and Testing) accepts textual specifications of aspect-oriented state models.
We have also implemented a separate tool for the graphical notation of aspect modeling with state machines based
on the open source UML tool ArgoUML (http://argouml.tigris.org). It can export the graphical representations of
aspect and class state models to MACT. 3AspectJ Development Toolkit: http://www.eclipse.org/ajdt/. AspectJ is the representative AOP language built upon
Java. 4 www. manning.com/laddad/
For Research Only
28
subsystem (each subsystem consists of aspects of interest and related classes for modeling and
verification). Such heavyweight applications of formal methods have been a significant
challenge. On one hand, it was difficult to define a comprehensive set of system requirements for
each aspect and related classes. On the other hand, it was not easy to formalize every requirement
(in fact property formalization can be more difficult than modeling). In practice, our approach
can be used as a lightweight method, focusing on the modeling and verification of critical system
components and requirements. This is the case for the banking system, which consists of 282
classes and 12 aspects (27K line of code). The application of our approach to the banking system
has focused on the modeling and checking of the aspects for concurrency control of read/write
access to the database and related classes.
Table 1. Subjects of the empirical study
Subjects Cruise control Telecom
Number of classes 9 10
Number of aspects 3 3
Number of system properties
formalized
63 32
Number of aspect model mutants
created
33 13
Table 1 lists the metrics of the cruise control and telecom systems. The underlying logic of the
cruise control system is much more complex than telecom according to their aspect-oriented
models and number of formalized requirements. For example, the former has twice as many
formalized properties.
For each subsystem consisting of an aspect and related classes, we first built an aspect-
oriented state model, formalized the properties according to the system requirements, and
checked the aspect-oriented model against the properties. This way, we obtained the correct
model for each of the subsystems. This indicates that our approach has successfully verified the
For Research Only
29
correct models. However, it is also interesting to know whether or not our approach can detect
flaws in aspect-oriented state models. To further evaluate our approach, we created mutants
(variations) of the correct aspect-oriented state models according to the fault category of aspect
design and checked each model mutant to see if any property was violated.
The fault category of aspect models implies the various ways an aspect model can go wrong
(as our focus is on aspects, we do not consider the potential faults of class model). It consists of
the following fault types:
(FT1) Incorrect pointcut with a missing join point. The consequence is that the desired advice
is not applied to the join point;
(FT2) Incorrect pointcut with an extra join point. The consequence is that extra advice is
applied to the join point;
(FT3) Incorrect advice where a transition has a wrong starting (ending) state or event/action;
(FT4) Incorrect advice with a missing transition (state);
(FT5) Incorrect advice with an extra transition (state);
(FT6) Incorrect advice with a missing guard for a guarded transition or with an extra guard
condition for an unguarded transition;
(FT7) Incorrect aspect or advice precedence.
The above fault category is similar to the fault model of AOP [5][12]. They cover incorrect
pointcuts, incorrect advice and incorrect aspect precedence, yet at different development phases
(design vs. programming). The above fault category is specific to the aspect-oriented state
models.
A model mutant of a correct aspect-oriented state model is a variation of the model. We
create a model mutant by seeding one potential fault of the above category into an aspect model.
For Research Only
30
It indicates a particular way that the aspect may be modeled incorrectly. We have created 33 and
13 mutants for the two applications, respectively. All of them were determined to be flawed
because they either led to a deadlock or violated some property. This demonstrates that our
approach is indeed effective for assuring the quality of aspect models.
5. RELATED WORK
There is a growing body of work on aspect-oriented modeling with UML[13]-[21]. It exploits the
meta-level notation of UML or extends the UML notation for specifying crosscutting concerns.
Most of the work, however, is not concerned with aspect verification due to the informal or semi-
formal nature of UML. A recent survey can be found in [7].
Since finite state models have long been in use for rigorous specification of object-oriented
software [10], sate-based aspect modeling is of particular interest. Elrad et al. have proposed an
approach to aspect-oriented modeling with Statecharts [13][21]. Base state models and aspect
state models are represented by different regions of Statecharts. An aspect first intercepts the
events sent to the base state models and then broadcast the events to the base state models.
Composition of base models and aspect models relies on a specific naming convention as the
weaving mechanism is implicit. In comparison, our work uses a rigorous formalism for capturing
crosscutting elements (inter-model declaration, join point, pointcut, and advice) with respect to
the state models of classes. Aspects and classes are composed through an explicit weaving
mechanism. Xu and Nygard [22] have developed aspect-oriented Petri nets for threat-driven
modeling and verification of secure software. The intended functions, threat scenarios, and
security features of a system are all formalized by Petri nets. Verification is conducted with
For Research Only
31
respect to the correctness and absence of threat scenarios, as opposed to desired system
properties.
Several methods for model-checking aspect-oriented programs have been proposed.
Ubayashi and Tamai [23] use model-checking to verify whether the woven code of an aspect-
oriented program contains unexpected behavior. They also propose a model-checking framework
that allows crosscutting properties to be defined as an aspect and thus separated from the
program body. Denaro and Monga [24] report a preliminary experience with model-checking a
concurrency control aspect. They manually build the aspect model in PROMELA (the input
language of the SPIN model checker) and verify the deadlock problem of the synchronization
policy. Since the transformation is done by hand, the conformance between the PROMELA
program and aspect code remains an open issue. Nelson et al. [24] use both model checkers and
model-builders to verify woven programs. The above work does not involve aspect-oriented
modeling.
Krishnamurthi et al. [26] adapt model-checking for verifying properties against advice
modularly. Given a set of properties and a set of pointcut designators, this approach
automatically generates sufficient conditions on the program‟s pointcuts to enable verification of
advice in isolation. It assumes that the programs and advice are given as state machines, which
represent the control-flow graphs of program fragments. In a series of papers, Katz and his group
have addressed various issues of model-checking aspect-oriented code. In[27][28], model
checking tasks are automatically generated for the woven code of aspect-oriented programs. This
approach takes advantage of the Bandera system [29] that generates input to model checking
tools directly from Java code, and hence the woven code of AspectJ programs. In [30], they treat
crosscutting scenarios as aspects and use model checking to prove the conformance between the
For Research Only
32
scenario-based specification of aspects and the systems with aspects woven into them. In [31],
they propose an approach to generic modular verification of code-level aspects. They check an
aspect state machine against the desired properties whenever it is woven over a base state
machine that satisfies the assumptions of the aspect. A single state machine is constructed using
the tableau of the LTL description of the assumptions, a description of the joinpoints, and the
state machine of the aspect code.
Our work is different from the above methods for model-checking aspect-oriented programs.
The crosscutting notions (pointcuts, advice, and aspects) of the aspect-oriented state models in
our approach are specified with respect to the design-level state models, as opposed to the
programming constructs or control flow graphs of aspect-oriented programs. In the cruise control
system model, for instance, the abstract state OFF00 (ignition=OFF && throttle=0 &&
brakepadel=0) involves three instance variables in the implementation. Aspect models are
allowed to introduce new states, events, and transitions. Nevertheless, the approaches to modular
verification of aspects [26][31] can be adopted to enhance our work.
Among the efforts to define formal semantics of aspects, some have been accompanied by
proposals on employing the semantics for verification. For instance, Andrews [32] uses process
algebras to offer a foundation for AOP. This work places emphasis on the correctness proofs of
program weaving. It uses program equivalence to establish the correctness of a particular weaver.
Xu, et al. [33] reduce aspect verification to prior work on reasoning about implicit invocation
systems. They suggest using model- rather than proof-theoretic techniques. It is not clear whether
verification works in a way that is meaningful to aspects and what the formal properties about
implicit invocation verification mean in the context of aspects. The above approaches to the
aspect semantics are essentially orthogonal to our work.
For Research Only
33
6. CONCLUSIONS
We have presented the approach to aspect-oriented modeling and verification with finite
state machines. The applications of our approach have demonstrated that aspect-orientation can
provide an effective mechanism for dealing with crosscutting concerns and incremental
modification requirements. Aspect-oriented verification through model checking can uncover
system design problems before the system is implemented. This will reduce overall development
costs due to earlier detection of problems.
Aspect-oriented modeling and verification can also facilitate detecting programming faults
through model-based testing. For example, the model-based testing method [5] generates test
cases from an aspect-oriented state model for exercising the resultant aspect-oriented program.
When correctness of the model is assured by the model-checking method, each failure of test
execution implies that the code is faulty (as long as the test oracle including test result evaluation
is reliable). Therefore, combination of verification and model-based testing can assure high-
quality system implementation.
7. ACKNOWLEDGMENT
This work was done while the first author was with North Dakota State University. Mr. Ganesh
K. Vellaswamy contributed to the javacc parser for the aspect-oriented state models. Mr. Izzat
Alsmadi defined an initial set of properties for the cruise control system. All these properties
have been overridden by the empirical studies reported in this article. We thank Professors Jeff
Magee and Jeff Kramer for providing the source code of LTSA, which greatly facilitated the
integration of MACT with LTSA. The research was supported in part by the ND EPSCoR IIP-SG
For Research Only
34
via NSF Grant EPS-047679. The fourth author was supported in part by the National Natural
Science Foundation of China (Grant No. 60603036), the National Grand Fundamental Research
973 Program of China (Grant No.2009CB320702), and the National 863 High-Tech Program of
China (Grant No.2009AA01Z148).
8. REFERENCES
[1] Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J. and Griswold, W.G. An
overview of AspectJ. In Proc. of ECOOP’01, pp. 327-353, 2001.
[2] Kiczales, G., Lamping, J., Mendhekar, A., Maeda, C., Lopes, C.V., Loingtier, J. M. and
Irwin, J. Aspect-oriented programming. In Proc. of ECOOP’97, pp. 220-242, 1997.
[3] Rinard, M., Salcianu, A., and Bugrara, S. A classification system and analysis for aspect-
oriented programs. In Proc. of FSE’04, Nov. 2004.
[4] Sullivan, K., Griswold, W.G., Song, Y., Cai, Y., Shonle, M., Tewari, N, and Rajan, H.
Information hiding interfaces for aspect-oriented design, In Proc. of ESEC/FSE'05, pp. 166-
175, 2005.
[5] Xu, D. and Xu, W. State-based incremental testing of aspect-oriented programs. In Proc. of
the Fifth International Conf. on Aspect-Oriented Software Development (AOSD’06), pp. 180-
189, Bonn, Germany, March 2006.
[6] Katz, S. Aspect categories and classes of temporal properties. Transactions on Aspect-
Oriented Software Development, Rashid, A. and Aksit, M. (Eds.), LNCS 3880, 1:106-134,
2006.
[7] Schauerhuber, A., Schwinger, W., Retschitzegger, W., and Wimmer, M. A survey on aspect-
oriented modeling approaches, Technical Report, Vienna University of Technology. January